WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] Re: What is more secure? HVM or PV ?

To: "Mark Williamson" <mark.williamson@xxxxxxxxxxxx>
Subject: Re: [Xen-devel] Re: What is more secure? HVM or PV ?
From: "David Pilger" <pilger.david@xxxxxxxxx>
Date: Mon, 25 Dec 2006 15:15:43 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 25 Dec 2006 05:15:40 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=bc2SmKGWLlHZzY2cVDaRuJ0iRLsr+73sILcaLOoPP0f7y0/xIFipiW2xOYY40zdfAhe2CsDAy8a48FcSP8M9agxOnsMMEXWq6s28kkvdYvPGw1QOvBb1ZQ6M08ev6KEK5KZdX1ZWfN9R0dHHdpnnqWl4VoV6zgPKa1orhD4IGys=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <200612231752.42296.mark.williamson@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <280848580612180840k666dde6fmb02a04b69cd75da@xxxxxxxxxxxxxx> <280848580612190035s27e91e67l81511abc50cfae91@xxxxxxxxxxxxxx> <200612231752.42296.mark.williamson@xxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> For PV:
> The explicit hypercall API would be one possible attack vector - exploiting
> any bugs in Xen.  The memory mapping interface could also be an attack vector
> (including both the paravirtualised and various shadowing code paths).
>
> PV also could be attacked in principle via the frontend / backend drivers - if
> the backend driver could be compromised and made to execute arbitrary code
> (or even write arbitrary code to dom0's filesystem / swapfile for later
> execution) then it would be possible to take over the whole machine.
>
> The PV components have been in place for longer and have probably received
> more scrutiny.  The HVM components are rather complex and have received, I
> think, less eyeballing.  I'd guess (and it is really a guess) that I'd have
> more confidence in PV from a security point of view, but that's definitely
> not to say that there's anything specifically *wrong* with the HVM code, just
> that it's less mature.


I agree, I think that because the PV API is also exposed to HVMs
(PV-on-HVM), we can conclude that HVMs are theoretically less secure,
because they have more attack vectors.

David.
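The frontend/backend driver vector discussed in the quoted text comes down to one rule: a backend in dom0 must treat every field the guest places on the shared ring as attacker-controlled. The following C program is an added illustration, not code from this thread or from Xen; it models a block-backend request validator on a deliberately simplified, constructed ring layout (the struct names, field names, `MAX_SEGMENTS` and the sample requests are assumptions, not the real blkif ABI). It shows the checks a backend needs before acting on a request: copying the request out of shared memory so the guest cannot change it between check and use, bounding `nr_segments` so it cannot index past the segment array, bounding each in-page sector range, and an overflow-safe check of the disk range touched.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified model of a split-driver block request as the
 * backend sees it on the shared ring. Not Xen's real blkif ABI. */
#define MAX_SEGMENTS     11
#define SECTORS_PER_PAGE 8   /* 4096-byte page, 512-byte sectors */

enum req_op { REQ_READ = 0, REQ_WRITE = 1 };

struct ring_seg {
    uint32_t gref;        /* grant reference supplied by the guest */
    uint8_t  first_sect;  /* first sector used within the granted page */
    uint8_t  last_sect;   /* last sector used within the granted page */
};

struct ring_req {
    uint8_t  op;
    uint8_t  nr_segments;       /* guest-supplied count into seg[] */
    uint64_t sector_number;     /* guest-supplied start sector on disk */
    struct ring_seg seg[MAX_SEGMENTS];
};

struct backend {
    uint64_t disk_sectors;  /* size of the backing store */
    bool     read_only;
};

enum verdict {
    REQ_OK = 0, ERR_BAD_OP, ERR_READ_ONLY, ERR_BAD_SEGMENT_COUNT,
    ERR_BAD_SEGMENT_RANGE, ERR_OUT_OF_BOUNDS
};

/* Validate a request the frontend placed on the ring. Every field is under
 * the guest's control, so nothing is used before it has been checked. */
enum verdict validate_request(const struct backend *be, const struct ring_req *shared)
{
    /* Work on a private copy: the guest can rewrite the shared slot after
     * the backend has looked at it (time-of-check/time-of-use). */
    struct ring_req req;
    memcpy(&req, shared, sizeof(req));

    if (req.op != REQ_READ && req.op != REQ_WRITE)
        return ERR_BAD_OP;
    if (req.op == REQ_WRITE && be->read_only)
        return ERR_READ_ONLY;
    /* nr_segments indexes seg[]; an unchecked value would read past it. */
    if (req.nr_segments == 0 || req.nr_segments > MAX_SEGMENTS)
        return ERR_BAD_SEGMENT_COUNT;

    uint64_t total = 0;  /* sectors transferred; at most 11 * 8, cannot overflow */
    for (unsigned i = 0; i < req.nr_segments; i++) {
        const struct ring_seg *s = &req.seg[i];
        if (s->first_sect > s->last_sect || s->last_sect >= SECTORS_PER_PAGE)
            return ERR_BAD_SEGMENT_RANGE;
        total += (uint64_t)s->last_sect - s->first_sect + 1;
    }
    /* Compare against the remaining disk instead of computing
     * sector_number + total, which a huge sector_number could wrap. */
    if (req.sector_number > be->disk_sectors ||
        total > be->disk_sectors - req.sector_number)
        return ERR_OUT_OF_BOUNDS;
    return REQ_OK;
}

/* Build a constructed sample request; every segment uses sectors 0..last_sect. */
static struct ring_req make_req(uint8_t op, uint8_t nseg, uint64_t sector, uint8_t last_sect)
{
    struct ring_req r;
    memset(&r, 0, sizeof(r));
    r.op = op; r.nr_segments = nseg; r.sector_number = sector;
    for (unsigned i = 0; i < MAX_SEGMENTS; i++) {
        r.seg[i].gref = 100 + i;
        r.seg[i].first_sect = 0;
        r.seg[i].last_sect = last_sect;
    }
    return r;
}

/* Constructed cases against a 2048-sector disk (index 4 uses a read-only one). */
enum verdict sample_verdict(int idx)
{
    struct backend be = { .disk_sectors = 2048, .read_only = (idx == 4) };
    struct ring_req r;
    switch (idx) {
    case 0:  r = make_req(REQ_READ,  2,   0,          7); break; /* well-formed */
    case 1:  r = make_req(REQ_READ,  200, 0,          7); break; /* nr_segments past seg[] */
    case 2:  r = make_req(REQ_WRITE, 1,   2044,       7); break; /* 8 sectors from 2044 */
    case 3:  r = make_req(REQ_READ,  1,   UINT64_MAX, 0); break; /* start sector wraps */
    case 4:  r = make_req(REQ_WRITE, 1,   0,          7); break; /* write to read-only */
    default: r = make_req(7,         1,   0,          7); break; /* unknown opcode */
    }
    return validate_request(&be, &r);
}

int main(void)
{
    for (int i = 0; i <= 5; i++)
        printf("sample %d -> verdict %d\n", i, sample_verdict(i));
    return 0;
}
```

The order of the checks matters: the segment count is bounded before the loop that indexes `seg[]`, and the disk-range check is written as a subtraction from the remaining size rather than an addition that a guest-chosen `sector_number` near `UINT64_MAX` could wrap.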

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel